H3-2026-0005

Web Application UNC Absolute Path Traversal Vulnerability

Category VULNERABILITY
Base Score 7.5

Description

A web application was found to process user-supplied UNC paths (\\server\share), triggering an outbound SMB connection. This can be exploited to capture NTLMv2 authentication hashes or relay credentials to other services.

Impact

An attacker can coerce the web application's service account to authenticate to an attacker-controlled SMB server, capturing NTLMv2 hashes. These hashes can be cracked offline or relayed to other services to gain unauthorized access. If the web application runs as a domain-joined machine account or privileged service account, this can lead to further compromise.
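As an added illustration (not part of this advisory or of the affected application's code), the following shows one way to reject UNC and other absolute paths before a user-supplied value reaches a file API, so that no outbound SMB connection is attempted. `BASE_DIR`, `resolve_user_path`, `is_allowed` and the sample inputs are assumptions constructed for the example.

```python
import ntpath  # Windows path semantics, importable on any OS

BASE_DIR = r"C:\app\uploads"  # hypothetical content root (assumption)

class UnsafePath(ValueError):
    """Raised when a user-supplied path could leave BASE_DIR."""

def resolve_user_path(user_value: str, base_dir: str = BASE_DIR) -> str:
    """Return a normalized path inside base_dir or raise UnsafePath."""
    if not user_value or "\x00" in user_value:
        raise UnsafePath("empty value or NUL byte")
    # Windows file APIs accept '/' as a separator, so //host/share is UNC too.
    p = user_value.replace("/", "\\")
    # A leading double backslash covers \\server\share, \\?\UNC\... and \\.\ devices.
    if p.startswith("\\\\"):
        raise UnsafePath("UNC or device path")
    # A single leading backslash is rooted on the current drive; ':' means a
    # drive letter (C:\x, C:x) or an NTFS alternate data stream.
    if p.startswith("\\") or ":" in p:
        raise UnsafePath("absolute path or drive/stream specifier")
    # Join only after the checks: ntpath.join() discards base_dir when the
    # second argument is absolute or UNC.
    full = ntpath.normpath(ntpath.join(base_dir, p))
    base = ntpath.normcase(ntpath.normpath(base_dir))
    if not ntpath.normcase(full).startswith(base + "\\"):
        raise UnsafePath("escapes base directory via '..'")
    return full

def is_allowed(user_value: str) -> bool:
    """True when the value resolves to a path inside BASE_DIR."""
    try:
        resolve_user_path(user_value)
        return True
    except UnsafePath:
        return False

# Constructed sample inputs (not from the advisory); 203.0.113.10 is a
# documentation-range address.
SAMPLES = [
    r"reports\2024\q1.pdf",
    r"\\203.0.113.10\share\x.txt",
    "//203.0.113.10/share/x.txt",
    r"\\?\UNC\203.0.113.10\share\x",
    r"C:\Windows\win.ini",
    r"..\..\Windows\win.ini",
]
```

Input validation of this kind is one layer; blocking outbound SMB from the web server at the network edge limits the impact if a path check is missed.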

References